KB44334 - Impact on PCS appliances when LDAP Channel Binding and LDAP Signing are required on Active Directory Domain Controllers (Microsoft Security Advisory ADV190023)

Information

Last Modified Date: 12/27/2019 6:06 AM
Synopsis
According to Microsoft Security Advisory ADV190023, Microsoft intends to release a security update through Windows Update that enables the LDAP channel binding and LDAP signing hardening changes, and anticipates that this update will be available in March 2020.

Until then, Microsoft recommends that administrators enable LDAP channel binding and LDAP signing on Active Directory Domain Controllers themselves.


 
Problem or Goal
Because Microsoft strongly recommends these changes, this article describes the configuration changes required on the PCS appliance to remain compatible with hardened domain controllers.
 
Cause
Microsoft recommends that administrators make the hardening changes described in ADV190023 because, with default settings, an elevation of privilege vulnerability exists in Microsoft Windows that could allow a man-in-the-middle attacker to forward an authentication request to a Windows LDAP server, such as a system running AD DS or AD LDS, that has not been configured to require signing or sealing on incoming connections.
 
Solution
Pulse Secure is currently testing LDAP authentication with the changes described in ADV190023 and will update this KB if any issues are found in testing; no issues have been found so far.

Registry path for Active Directory Domain Services (AD DS) domain controllers:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Registry path for Active Directory Lightweight Directory Services (AD LDS) servers:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<LDS instance name>\Parameters

DWORD: LdapEnforceChannelBinding

DWORD value: 0 indicates disabled. No channel binding validation is performed. This is the behavior of all servers that have not been updated.

DWORD value: 1 indicates enabled, when supported. All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility.

DWORD value: 2 indicates enabled, always. All clients must provide channel binding information. The server rejects authentication requests from clients that do not do so.
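The following PowerShell script is an added example and is not part of this KB or of any Pulse Secure or Microsoft tooling. It audits the LdapEnforceChannelBinding DWORD at the AD DS and AD LDS registry paths listed above on the server it runs on, prints the meaning of the current value (0, 1 or 2 as described above), and, only when run with -Apply, sets the requested value. It assumes that AD LDS instances are registered as Windows services named ADAM_<instance name> (an assumption, not something this KB states); adjust -LdsServiceFilter if your instances are named differently. Run it in an elevated PowerShell session on the domain controller or AD LDS server.

```powershell
# Added example (not from the Pulse Secure KB): audit, and optionally set, the
# LdapEnforceChannelBinding DWORD on an AD DS domain controller and on any AD LDS
# instances hosted on the same server. Run in an elevated PowerShell session.
# Assumption: AD LDS instance services are named ADAM_<instance name>, so their
# registry key is Services\ADAM_<instance name>\Parameters.
[CmdletBinding()]
param(
    [ValidateSet(0, 1, 2)]
    [int]$DesiredValue = 1,            # 1 = enabled when supported (compatibility), 2 = enabled always
    [switch]$Apply,                    # without -Apply the script only reports
    [string]$LdsServiceFilter = 'ADAM_*'
)

# Meaning of each DWORD value, as described in the KB.
$Meaning = @{
    0 = 'disabled: no channel binding validation is performed'
    1 = 'enabled when supported: CBT required only from CBT-capable Windows clients'
    2 = 'enabled always: every client must supply channel binding information'
}

function Get-ChannelBindingSetting {
    param([Parameter(Mandatory)][string]$RegPath)
    $prop = Get-ItemProperty -Path $RegPath -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }       # value not present at this path
    return [int]$prop.LdapEnforceChannelBinding
}

function Set-ChannelBindingSetting {
    param([Parameter(Mandatory)][string]$RegPath, [Parameter(Mandatory)][int]$Value)
    if (-not (Test-Path $RegPath)) { throw "Registry path not found: $RegPath" }
    # -Force overwrites an existing value; DWord matches the type the advisory specifies.
    New-ItemProperty -Path $RegPath -Name LdapEnforceChannelBinding -PropertyType DWord -Value $Value -Force | Out-Null
}

# Collect the registry locations present on this host.
$targets = @()
$ntdsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntdsPath) {
    $targets += [pscustomobject]@{ Role = 'AD DS'; Path = $ntdsPath }
}
foreach ($svc in Get-Service -Name $LdsServiceFilter -ErrorAction SilentlyContinue) {
    $targets += [pscustomobject]@{
        Role = "AD LDS ($($svc.Name))"
        Path = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    }
}
if ($targets.Count -eq 0) {
    Write-Warning 'No AD DS or AD LDS registry paths found on this host.'
    return
}

foreach ($t in $targets) {
    $current = Get-ChannelBindingSetting -RegPath $t.Path
    $desc = if ($null -eq $current) { 'not set' } else { "$current ($($Meaning[$current]))" }
    Write-Host ("{0}: LdapEnforceChannelBinding = {1}" -f $t.Role, $desc)
    if ($Apply -and $current -ne $DesiredValue) {
        Set-ChannelBindingSetting -RegPath $t.Path -Value $DesiredValue
        Write-Host ("  -> set to {0} ({1})" -f $DesiredValue, $Meaning[$DesiredValue])
    }
}
```

Running the script with no parameters only reports, which is the safe first step before enforcing. Moving to value 2 should be done only after every LDAP client of the directory, including the PCS appliance, has been verified to authenticate over LDAPS, since value 2 rejects any client that does not supply channel binding information.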

When domain controllers have LdapEnforceChannelBinding enabled or enforced and are used as authentication servers on the Pulse Secure appliance, communication must take place over port 636 (LDAPS) and not over port 389.

That is, under LDAP Server > LDAP Server Type, whether you choose "Active Directory" or "Generic":

i) LDAPS (port 636) must be used.
ii) Unencrypted will not work, because it uses port 389.

NOTE: If the authentication server type is Active Directory, testing is still in progress, and this KB will be updated if any known issues are found.
 
Created By: Kalaivani T
